So recently we moved to a new server setup. All settings on the new server were setup the same as the old cpanel server. However I am seeing more username@server.hostname.com than previously in the email logs and WHM summary reports.

I get emails from root@server.hostname.com as these are server status emails. But I am seeing domainuserid@server.hostname.com being sent out to emails.

Spam has always been foreign to me but I am slowly learning how to track it down. This was one thing that popped on my radar. When an email comes from domainuser@server.hostname.com what should I be looking at to track down exactly what account was compromised?